From ce99a8418dde666982b96443fce6120ce35d51c3 Mon Sep 17 00:00:00 2001
From: Fredrik Wahlberg
Date: Sat, 14 May 2016 07:51:27 +0200
Subject: [PATCH] Maj #1
---
 logcheck_ignore | 32 +++++++++++++++++++++++++++-----
 testlog | 14 ++++++++++++++
 2 files changed, 41 insertions(+), 5 deletions(-)
diff --git a/logcheck_ignore b/logcheck_ignore
index 36c45d3..8254c2d 100644
--- a/logcheck_ignore
+++ b/logcheck_ignore
@@ -133,6 +133,10 @@
 #Mar 14 18:40:24 nada dovecot: imap(johan): Disconnected for inactivity in reading our output in=603 out=253156
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected for inactivity in reading our output in=[[:digit:]]+ out=[[:digit:]]+
+#Apr 27 14:28:26 nada dovecot: pop3(kajsa): Disconnected for inactivity top=0/0, retr=0/0, del=0/67, size=517953
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)\([[:alnum:]]+\): Disconnected for inactivity top=[/[:digit:]]+, retr=[/[:digit:]]+, del=[/[:digit:]]+, size=[[:digit:]]+
+
+
 #Mar 21 02:40:04 kvarnen dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=200.68.99.217, lip=95.170.86.14, session=<7uj4LIUuMQDIRGPZ>
 #Mar 22 13:03:22 kvarnen dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=218.29.231.21, lip=95.170.86.14, session=
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: (Disconnected|Aborted login) \(tried to use disallowed plaintext auth\): user=<>, rip=[.:[:digit:]]+, lip=[.:[:digit:]]+, session=<[+/[:alnum:]]+>
@@ -147,7 +151,8 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3\([[:alnum:]]+\): Connection closed top=[/[:digit:]]+, retr=[/[:digit:]]+, del=[/[:digit:]]+, size=[[:digit:]]+
 #Mar 30 20:59:38 nada dovecot: imap(katarina): Disconnected: Disconnected in=139 out=8902
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected: Disconnected in=[[:digit:]]+ out=[[:digit:]]+
+#Apr 20 12:25:05 nada dovecot: imap(kajsa): Disconnected: EOF while appending in=413894 out=733
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected: (EOF while appending|Disconnected) in=[[:digit:]]+ out=[[:digit:]]+
 #Apr 6 17:17:53 nada dovecot: imap(gertie): Disconnected in APPEND (1 msgs, 0 secs, 0/44908 bytes) in=884034 out=368982
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected in APPEND \([[:digit:]]+ msgs, [[:digit:]]+ secs, [[:digit:]]+/[[:digit:]]+ bytes\) in=[[:digit:]]+ out=[[:digit:]]+
@@ -249,7 +254,8 @@
 #Mar 9 07:33:07 nada sm-mta[24033]: u296N4QZ024033: collect: premature EOM: Connection reset by [208.87.25.77]
 #Apr 15 17:29:00 nada sm-mta[687]: u3FFSq2F000687: collect: premature EOM: Connection reset by 99-198-26-191.cust.wildblue.net
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: collect: premature EOM: Connection reset by (\[)?[-.:[:alnum:]]+(\])?
+#Apr 18 11:07:40 nada sm-mta[22391]: u3I87Z3E022391: collect: premature EOM: Connection timed out with rs-mta-31.anpdm.com
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: collect: premature EOM: Connection (reset by|timed out with) (\[)?[-.:[:alnum:]]+(\])?
 #Mar 9 07:33:07 nada sm-mta[24033]: u296N4QZ024033: SYSERR(root): collect: I/O error on connection from [208.87.25.77], from=
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: SYSERR\(root\): collect: I\/O error on connection from \[[.:[:digit:]]+\], from=<[-_.@[:alnum:]]+>
@@ -296,7 +302,8 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: [[:alnum:]]+: DSN: Service unavailable
 #Apr 14 11:05:05 nada sm-mta[15662]: u3E955KV015662: li1068-122.members.linode.com [106.184.3.122]: probable open proxy: command=GET http://www.ipip.net/ HTTP/1.1\r\n
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: [-.[:alnum:]]+ \[[.[:digit:]]+\]: probable open proxy: command=GET http://www.ipip.net/ HTTP/1.1\\r\\n
+#Apr 20 15:10:44 nada sm-mta[5182]: u3KDAiZT005182: li1068-122.members.linode.com [106.184.3.122]: probable open proxy: command=GET / HTTP/1.1\r\n
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: [-.[:alnum:]]+ \[[.[:digit:]]+\]: probable open proxy: command=GET (http://www.ipip.net)?/ HTTP/1.1\\r\\n
 #
 # SPAMD
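Review bot: In the second hunk, the widened command part `(http://www.ipip.net)?/` combined with the already-generic host/address part `[-.[:alnum:]]+ \[[.[:digit:]]+\]` now silences every "probable open proxy" probe for `/` from any client, although both sample lines in the comments come from the same linode host. Open-proxy probes are reconnaissance against the MTA, so if the goal is only to drop the noise from that one known source, pin the host portion to `li1068-122\.members\.linode\.com \[106\.184\.3\.122\]` so probes from new sources are still reported. If suppressing all of them is intended, a comment saying so (e.g. `# open-proxy probes for / are routine scanner noise; deliberately ignored from any source`) would make that choice explicit.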
@@ -331,8 +338,8 @@
 #Apr 2 06:38:03 nada spamd[16362]: rules: failed to run NO_DNS_FOR_FROM RBL test, skipping:
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: rules: failed to run NO_DNS_FOR_FROM RBL test, skipping:
-
-
+#Apr 27 00:44:20 nada spamd[23159]: razor2: razor2 check failed: Invalid argument razor2: razor2 had unknown error during get_server_info at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 185. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 325.
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: razor2: razor2 check failed: Invalid argument razor2: razor2 had unknown error during get_server_info at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 185. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 325.
 #
 # SSHD
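Review bot: The new razor2 rule hardcodes the Perl source line numbers (`line 185.` and `line 325.`), so it will stop matching after the next SpamAssassin update and the message will reappear; `line [[:digit:]]+\.` in both places is more durable, and the `.` in `Razor2.pm` and after the numbers should be escaped like the rest of the file does. More importantly, this message says the Razor2 plugin never completes `get_server_info`, i.e. that part of spam scoring is silently failing on every message, and the same line recurs in testlog on May 3. Suppressing it hides a broken plugin; fixing or disabling razor2 is the real cure, and if it is suppressed in the meantime a comment such as `# razor2 is broken on this host; ignored until the plugin is fixed or disabled` records why.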
@@ -377,9 +384,22 @@
 #Apr 10 20:46:18 nada sshd[6046]: pam_unix(sshd:auth): conversation failed
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): conversation failed
+#May 11 19:13:29 nada sshd[10882]: pam_krb5(sshd:auth): authentication failure; logname=ai_luat uid=0 euid=0 tty=ssh ruser= rhost=218.200.188.213
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_krb5\(sshd:auth\): authentication failure; logname=ai_luat uid=0 euid=0 tty=ssh ruser= rhost=[.:[:digit:]]+
+
 #Apr 10 20:50:19 nada sshd(pam_google_authenticator)[6490]: Trying to reuse a previously used time-based code. Retry again in 30 seconds. Warning! This might mean, you are currently subject to a man-in-the-middle attack
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\(pam_google_authenticator\)\[[[:digit:]]+\]: Trying to reuse a previously used time-based code. Retry again in 30 seconds. Warning! This might mean, you are currently subject to a man-in-the-middle attack
+#May 11 01:17:42 kvarnen sshd[14739]: fatal: Unable to negotiate a key exchange method [preauth]
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate a key exchange method \[preauth\]
+
+#Apr 27 12:36:56 kvarnen sshd[26293]: Bad protocol version identification 'GET http://clientapi.ipip.net/echo.php?info=20160427185402 HTTP/1.1' from 106.184.2.29 port 7680
+#May 13 16:59:50 kvarnen sshd[21380]: Bad protocol version identification '' from 171.13.14.52 port 59637
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification '.*' from [.:[:digit:]]+ port [[:digit:]]+
+
+#May 5 10:08:49 nada sshd[4523]: fatal: no hostkey alg [preauth]
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no hostkey alg \[preauth\]
+
 #
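Review bot: The pam_krb5 rule hardcodes `logname=ai_luat` while generalising `rhost=`, so it suppresses authentication failures for that one username from any address, which looks like the sample line was pasted rather than generalised on purpose. The companion line added to testlog (`input_userauth_request: invalid user ai_luat [preauth]`) shows this was a password-guessing attempt against a non-existent account, and PAM authentication-failure lines are the primary brute-force signal logcheck is meant to surface, so I would drop this rule and leave those lines reported. If the intent is to avoid reporting the same attempt twice alongside the `invalid user` line, say so in the comment rather than leaving a single-username rule that silently matches one attacker's favourite name. The `Unable to negotiate a key exchange method` and `no hostkey alg` rules are reasonable scanner-noise suppressions, though they would also hide a legitimate client that has fallen out of step with the server's algorithm policy; a one-line comment noting that trade-off would help the next reader.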
@@ -392,3 +412,5 @@
 #Mar 11 21:10:17 nada suhosin[30832]: ALERT - configured request variable name length limit exceeded - dropped variable
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - configured request variable name length limit exceeded - dropped variable
+#Apr 19 21:14:31 nada suhosin[28060]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'file' (attacker '62.210.203.159', file '/home/happysthlm/www.happysthlm.se/index.php')
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'file' \(attacker '[.[:digit:]]+', file '.*'\)
\ No newline at end of file
diff --git a/testlog b/testlog
index dcc0d54..f62c124 100644
--- a/testlog
+++ b/testlog
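Review bot: The attacker field in the new suhosin rule uses `[.[:digit:]]+`, which only matches IPv4, whereas the sshd and dovecot rules in this file use `[.:[:digit:]]+` for `rhost`/`rip`; `'[.:[:digit:]]+'` keeps the file consistent. This ALERT is raised when suhosin drops a request variable containing a NUL byte, i.e. an injection attempt against the web application, and the rule silences it for any attacker address and any `file` path, so the one line that reports such attempts disappears; if only one source is noisy, narrow the attacker part to that address instead. The added last line also has no trailing newline (`\ No newline at end of file`), which is worth fixing so later appends do not glue onto this pattern.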
@@ -186,3 +186,17 @@ Apr 21 22:40:41 nada saslauthd[1732]: do_auth : auth failure: [user=back
 Apr 22 14:23:22 nada sshd[19599]: subsystem request for sftp by user petter
 Apr 23 21:41:58 nada saslauthd[1735]: do_auth : auth failure: [user=backuppc ] [service=smtp] [realm=wahlberg.se] [mech=shadow] [reason=Unknown]
 Apr 27 00:44:20 nada spamd[23159]: razor2: razor2 check failed: Invalid argument razor2: razor2 had unknown error during get_server_info at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 185. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 325.
+Apr 27 14:28:26 nada dovecot: pop3(kajsa): Disconnected for inactivity top=0/0, retr=0/0, del=0/67, size=5179534
+Apr 27 12:36:48 kvarnen sshd[26292]: Bad protocol version identification 'GET / HTTP/1.1' from 106.184.2.29 port 63976
+Apr 27 12:36:56 kvarnen sshd[26293]: Bad protocol version identification 'GET http://clientapi.ipip.net/echo.php?info=20160427185402 HTTP/1.1' from 106.184.2.29 port 7680
+Apr 28 06:41:57 nada sm-mta[11484]: u3S4fvP5011484: li1068-122.members.linode.com [106.184.3.122]: probable open proxy: command=GET / HTTP/1.1\r\n
+May 11 01:17:42 kvarnen sshd[14739]: fatal: Unable to negotiate a key exchange method [preauth]
+May 10 19:21:13 nada sshd[5327]: subsystem request for sftp by user petter
+May 10 13:57:54 nada dovecot: pop3(kajsa): Disconnected for inactivity top=0/0, retr=0/0, del=0/91, size=19989948
+May 9 21:06:23 nada sm-mta[8993]: u49J6NYD008993: li1068-122.members.linode.com [106.184.3.122]: probable open proxy: command=GET / HTTP/1.1\r\n
+May 6 11:19:15 kvarnen sshd[24101]: fatal: Unable to negotiate a key exchange method [preauth]
+May 5 10:08:49 nada sshd[4523]: fatal: no hostkey alg [preauth]
+May 3 16:54:08 nada spamd[18801]: razor2: razor2 check failed: Invalid argument razor2: razor2 had unknown error during get_server_info at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 185. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 325.
+May 11 19:13:29 nada sshd[10882]: input_userauth_request: invalid user ai_luat [preauth]
+May 11 19:13:29 nada sshd[10882]: pam_krb5(sshd:auth): authentication failure; logname=ai_luat uid=0 euid=0 tty=ssh ruser= rhost=218.200.188.213
+May 13 16:59:50 kvarnen sshd[21380]: Bad protocol version identification '' from 171.13.14.52 port 59637